Brief Summary

This section describes how a tester can check if it is possible to enter code as input on a web page and have it executed by the web server. More information about Code Injection can be found here.

Description of the Issue

In code injection testing, a tester submits input that is processed by the web server as dynamic code or as an included file. These tests can target various server-side scripting engines, e.g., ASP or PHP. Proper input validation and secure coding practices need to be employed to protect against these attacks.
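The "included file" case described above is easiest to see in code. The following PHP is an added example written for this page, not code from the OWASP guide or from any real application: a page handler whose include path is taken from the request, shown next to a version that only lets the request choose a key from a fixed allowlist. The parameter name (page), the pages/ directory and the file names are assumptions.

```php
<?php
// Added example (not from the OWASP page). The "page" query parameter,
// the pages/ directory and the file names are assumptions.

// Vulnerable pattern: the request decides which file the server includes,
// and whatever is included is executed as PHP. A fixed prefix and suffix
// do not make this safe; the path is still attacker-controlled.
function render_page_vulnerable(array $get): void
{
    $page = $get['page'] ?? 'home';
    include 'pages/' . $page . '.php';
}

// Hardened pattern: the request can only pick a key from a server-side
// allowlist; the include path itself never comes from user input.
const ALLOWED_PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

// Map a requested key to an allowlisted path, or null if it is not allowed.
function resolve_page(string $requested): ?string
{
    return ALLOWED_PAGES[$requested] ?? null;
}

function render_page_hardened(array $get): void
{
    $page = resolve_page((string) ($get['page'] ?? 'home'));
    if ($page === null || !is_file($page)) {
        // Unknown key or missing file: fail closed with a plain 404.
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $page;   // value came from ALLOWED_PAGES, never from the request
}

render_page_hardened($_GET);
```

The allowlist removes the injection point entirely rather than trying to sanitize it. As defence in depth, keeping allow_url_include disabled in php.ini (its default) stops include from fetching remote URLs even if an unsafe include survives elsewhere in the code base, and a review for include, require, eval and similar calls whose argument is derived from request data is the quickest way to find candidates for this test.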

Black Box testing and example

Testing for PHP Injection vulnerabilities:

Using the querystring, the tester can inject code (in this example, a malicious URL) to be processed as part of the included file: